Eudora Logging
From: Deus, Attonbitus (Thor@HammerofGod.com)Date: 04/25/02
- Previous message: Tompa Septimius Paul: "Re: /lib/ld-2.2.4.so"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Apr 2002 07:16:03 -0700 To: VULN-DEV@SECURITYFOCUS.COM From: "Deus, Attonbitus" <Thor@HammerofGod.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings:
This is not an advisory- there is no exploit, but I think it a valuable
piece of information for Eudora users. I'm glad Vuln-dev exists as a forum
for this kind of stuff...
The Eudora help file tells us about the Debug tag, where we may place
parameters such as LogLevel. A setting of LogLevel=127, for instance, will
cause Eurdora to write a verbose log of all incoming and outgoing
events. This includes usernames, password, and full text of all incoming
and outgoing messages. You can also set Eudora to write the .log file to
and .old file at a certain size and begin a new .log file. You may also
specify the name of the log file.
It is actually a pretty cool tool to use to debug problems (as it shows all
the client/server communications), but I don't like the fact that the
client software never tells you that this logging is taking place. Anyone
with access to the .ini file, locally or remotely, can write these entries
to Eudora's configuration. As many corporations use Eudora as a more
'secure' alternative to OE, there is a concern that shared systems or
admins will be able to trivially capture all messaging for any user.
I am fully aware that SMTP and POP3 are clear-text protocols, and that an
admin (or anyone with physical access) could install keyboard loggers,
sniffers, etc. However, even when SSL is used to encrypt the SMTP and POP3
channels, this log file still writes everything in clear text.
I have been using Eudora for a while, and require SSL for all
communications to/from the server-- I was unaware that this setting
existed. When I found out how easy it was to log everything even with
these conditions, it concerned me- that is why I post this here, so that
users of Eudora, particularly in corporate environments, would at least get
a heads-up that this configuration parameter exists, and to take that into
consideration when securing your installations.
I sent an email to the Eudora dev team asking them to simply notify the
user somewhere in the GUI that logging is enabled, but have not heard back
from them. I hope this information is of value to some.
Cheers,
AD
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPMgPoohsmyD15h5gEQIOIwCdFnMZCpYMIvRlGc3vtKy+ClKwEDYAn0b9
SnSFoOp8c+fN9IWwNXEGiIqd
=e5aZ
-----END PGP SIGNATURE-----
- Previous message: Tompa Septimius Paul: "Re: /lib/ld-2.2.4.so"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
